CVE-2023-53958
HTTP Host Header Injection in LDAP Tool Box Password Reset Enables Account Takeover
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ldap_tool_box | self_service_password | 1.5.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-53958 is a vulnerability in LDAP Tool Box Self Service Password version 1.5.2 in which the password reset link is built from the HTTP Host header of the request that triggered the reset. An unauthenticated attacker who submits a password reset request for a victim's account with a forged Host header causes the application to e-mail the victim a link whose hostname is attacker-controlled but which still carries the victim's valid reset token. If the victim follows the link, the token arrives at the attacker's server, and the attacker can then present it to the real site to set a new password and take over the account without any prior authentication. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to a full account takeover. The attacker does not need to intercept anything on the wire: they trigger a genuine reset e-mail for the victim, with the link pointing at a host they control, and wait. If the victim clicks the link, the attacker's server receives the valid reset token in the request URL, and the attacker can replay it against the real application to reset the victim's password and log in as the victim. Because the message is sent by your own application through your own mail system, it looks entirely legitimate to the recipient. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts look like POST requests to the password reset endpoint, /?action=sendtoken, whose Host header does not match the hostname you actually serve the application under. Two practical caveats before relying on log review: the default "combined" web server log format does not record the Host header at all, so add it explicitly (for example %{Host}i in an Apache LogFormat, or $host / $http_host in an nginx log_format); and packet capture only shows the header on plaintext HTTP, so behind a TLS-terminating reverse proxy capture on the proxy-to-backend leg. With that in mind, a capture such as
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /?action=sendtoken'
lists the reset requests, and the Host lines of those requests can be compared against your expected domain (an exact match; a suffix check would accept yourhost.example.com.attacker.example). To test whether an instance is affected, rather than merely whether it accepts the request, send a reset request with curl and an altered Host header (for example -H 'Host: attacker.example') for a test account you control and inspect the e-mail that arrives: if the reset link's hostname is the injected value, the instance builds links from the Host header. A 200 response on its own proves nothing, because a token is issued either way; the link destination is what matters. [2]
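The log review described above, as an added Python example (not code from the advisory or from the LDAP Tool Box project): it parses lines in an assumed Apache LogFormat that puts the Host header first, keeps only POSTs to /?action=sendtoken, and flags those whose Host is missing or not an exact allowlist match. The allowed hostname and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed Apache LogFormat (example only; adjust LOG_RE to your own format):
#   LogFormat "%{Host}i %h %t \"%r\" %>s" hostlog
# The default "combined" format does not include the Host header at all.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})$'
)

ALLOWED_HOSTS = {"ssp.example.com"}        # assumption: your real hostname(s)
SENDTOKEN_PATH = "/?action=sendtoken"      # reset endpoint named in the Q&A


def host_name(raw_host: str) -> str:
    """Lower-cased hostname without the port; '-' (no Host header) stays '-'."""
    try:
        return (urlsplit("//" + raw_host).hostname or raw_host).lower()
    except ValueError:  # e.g. malformed IPv6 literal in brackets
        return raw_host.lower()


def find_suspicious(lines, allowed_hosts=frozenset(ALLOWED_HOSTS)):
    """Return (client, raw_host, status) for every POST to the sendtoken
    endpoint whose Host header is absent or not on the allowlist.
    Exact match only: a suffix test would accept ssp.example.com.attacker.example."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["method"] != "POST" or not m["target"].startswith(SENDTOKEN_PATH):
            continue
        if host_name(m["host"]) not in allowed_hosts:
            hits.append((m["client"], m["host"], int(m["status"])))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
ssp.example.com 10.0.0.5 [19/Dec/2025:10:00:00 +0000] "POST /?action=sendtoken HTTP/1.1" 200
ssp.example.com:8443 10.0.0.6 [19/Dec/2025:10:00:02 +0000] "POST /?action=sendtoken HTTP/1.1" 200
attacker.example 203.0.113.7 [19/Dec/2025:10:00:05 +0000] "POST /?action=sendtoken HTTP/1.1" 200
ssp.example.com.attacker.example 203.0.113.7 [19/Dec/2025:10:00:06 +0000] "POST /?action=sendtoken HTTP/1.1" 200
- 203.0.113.9 [19/Dec/2025:10:00:08 +0000] "POST /?action=sendtoken HTTP/1.0" 200
attacker.example 203.0.113.7 [19/Dec/2025:10:00:09 +0000] "GET / HTTP/1.1" 200
"""

if __name__ == "__main__":
    for client, host, status in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"suspicious sendtoken POST from {client}: Host={host!r} status={status}")
```

The second sample line (same hostname, non-default port) is deliberately not flagged, while the subdomain-suffix trick and the missing Host header are. The final GET with a bad Host is ignored because only the reset POST matters for this issue.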
What immediate steps should I take to mitigate this vulnerability?
Update LDAP Tool Box Self Service Password to a release in which this issue is fixed (the affected version listed above is 1.5.2). If you cannot update immediately, make sure the application never derives the reset link from the request's Host header: configure the canonical site URL explicitly where the application supports it, have the reverse proxy or web server rewrite or reject Host values other than your real hostnames (for example, serve the application only from a named virtual host and send unknown Host values to a default that returns an error), and validate the Host header on the server side against an exact allowlist before issuing a token. Temporarily disabling or restricting the password reset function removes the exposure entirely while the patch is scheduled. Keep logging and alerting on reset requests with unexpected Host headers until the fix is deployed. [1, 2]
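The weak link-construction pattern explained in the first answer, beside the Host validation recommended in this one, as an added Python example. It is not code from LDAP Tool Box Self Service Password (a PHP application) or from the advisory; the hostnames, the /?action=resetbytoken path, the https scheme and the header handling are assumptions chosen for illustration.

```python
import re
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Assumptions for this example: the hostnames the service is really served
# under, and the path of the page that consumes a reset token.
ALLOWED_HOSTS = {"ssp.example.com"}
RESET_PATH = "/?action=resetbytoken"
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$")  # bare host[:port] only


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Weak pattern (CWE-640): the link's origin is copied from the request's
    Host header, so whoever sends the request decides where the token goes."""
    host = headers.get("Host", "localhost")
    return f"https://{host}{RESET_PATH}&{urlencode({'token': token})}"


def build_reset_link_hardened(headers: dict, token: str,
                              base_url: Optional[str] = None,
                              allowed_hosts=frozenset(ALLOWED_HOSTS)) -> str:
    """Hardened: prefer a configured base URL; otherwise accept the Host header
    only if it is syntactically a bare host[:port] and the hostname is an exact
    allowlist match (no userinfo, no path, no suffix matching)."""
    if base_url:
        origin = base_url.rstrip("/")
    else:
        host = headers.get("Host", "")
        if not _HOST_RE.fullmatch(host):
            raise ValueError(f"malformed Host header: {host!r}")
        hostname = urlsplit("//" + host).hostname or ""
        if hostname.lower() not in allowed_hosts:
            raise ValueError(f"Host {hostname!r} is not an allowed hostname")
        origin = f"https://{host}"
    return f"{origin}{RESET_PATH}&{urlencode({'token': token})}"


def link_host(link: str) -> str:
    """Hostname a browser would contact for the given link."""
    return urlsplit(link).hostname or ""


def new_token() -> str:
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    token = new_token()
    legit = {"Host": "ssp.example.com"}
    evil = {"Host": "attacker.example"}
    print("vulnerable, legit request :", link_host(build_reset_link_vulnerable(legit, token)))
    print("vulnerable, injected Host :", link_host(build_reset_link_vulnerable(evil, token)))
    print("hardened, legit request   :", link_host(build_reset_link_hardened(legit, token)))
    try:
        build_reset_link_hardened(evil, token)
    except ValueError as exc:
        print("hardened, injected Host   : rejected ->", exc)
```

Passing base_url is the preferable configuration: the e-mail then carries the same origin regardless of what any client sends, and the Host allowlist remains only as a second line of defence for deployments that must build the link dynamically.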